Vista Activation Cracked by Brute Force
Bengt writes "The Inquirer has a story about a brute force Vista key activation crack. It's nothing fancy; it's described as a 'glorified guesser.' The danger of this approach is that sooner or later the key cracker will begin activating legitimate keys purchased by other consumers. From the article: 'The code is floating, the method is known, and there is nothing MS can do at this point other than suck it down and prepare for the problems this causes. To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'"
Re:MS would owe at least the key (Score:2, Informative)
The problem is that it's one-way and reversing it is mathematically hard, so it's easier just to try a scatter-gun approach.
Re:MS would owe at least the key (Score:5, Informative)
Why, yes. Rechecking the activation key against an updated list of revoked licenses takes place as part of the periodic updates to "Windows Validation" delivered via Windows Update. In practice under XP, this happens every month to every few months. Depending on your settings and whatever the future might bring, it might well be the case that machines will be checking for updates & possibly re-validating themselves every week.
Having RTFA... (Score:5, Informative)
What we have here is a random number/letter guesser. It's basically a VB Script that guesses random numbers and letters in a string that is the same length as a Vista Key, then inserts it into the registry, overwriting the existing Vista key. You use Magic Jellybean to check when the key has changed, and then manually check it against MS's activation service. Really this is little more than a person manually sitting down and making key guesses. This is why it's called a "Brute Force" attack. There is no intelligence (i.e., an algorithm) behind the key guesses at all.
That said, because it IS so simple, it's almost impossible for MS to defend against, since they can't just "ban" any keys made by it like they would a traditional algorithmic keygen. Also, there is an improved version of it posted as source on the boards there, so if you want to take a peek at the code you can.
Here is a link to the forum post in question: http://keznews.com/forum/viewtopic.php?t=2634
Not in the UK (Score:5, Informative)
That may be the case in the US, but in the UK things work slightly differently. If I buy a copy of Vista from a store and it is faulty, for whatever reason, I can return it to the store for a full refund or a replacement. The legalese is "fit for purpose" and "of merchantable quality". Clearly, a copy of Vista with an invalid licence key is not fit for purpose.
Incidentally, most of the big shrinkwrap software stores in the UK try to get out of doing this if they can. Just be persistent.
Brute force Crack (Score:3, Informative)
I saw one at a LAN party that had every copy of windows, every copy of office, and a whole bunch of Microsoft products.
You would set it and forget it. It would generate a key, test it and then if it was good put it in a log file, if it was bad it would attempt to generate another.
This kid had a list of probably 1000 WinXp pro keys that had generated just because he was bored.
Re:Welcome to the non free world. (Score:5, Informative)
There's this little thing called an implied warranty of fitness for a particular purpose. When you buy something -- anything -- unless it has large letters on the outside of the box saying that it doesn't work, it comes with one. It states that, basically, if you use the product for the purpose for which it is marketed (i.e., with software, try to run it on a computer), it will perform that purpose to at least a basic level.
It is not legally possible for MS's EULA to disclaim this warranty, it's a basic right that you get when you buy something.
When you buy something that doesn't meet this warranty, you're entitled to a full refund. Whether you've opened the package or not.
Re:MS would owe at least the key (Score:1, Informative)
In Soviet Russia
Re:MS would owe at least the key (Score:3, Informative)
The business users can purchase an "Activation server" they maintain in house and can configure their workstations to call it to verify they have legit keys. The Activation server in house still has to call Microsoft every 180 days to verify all the license information it has.
The in house Activation server came about because of Government and Private organizations that want to have unconnected secured networks. Though the "Activation Server" needing to call MS every few months can result in a "potential breach" or extra wasted IT staff hours as you call the phone number to manually activate again...
Another option you have, though Microsoft claims that they did not enable it in Vista, as Volume License keys will be used in house only and no longer shipped out to customers, are the MAK license options in their Volume license 2.0 program. But as I said, MS claimed at their launch day event they will not be shipping any such versions of Vista...
http://www.microsoft.com/technet/windowsvista/pla
Re:MS would owe at least the key (Score:4, Informative)
Your assumption here seems to stand on rather shaky ground, though... I'm sure that you can run more services than just the authentication mechanism - I would expect that you'd probably want to run the license authentication service on your domain controller or something similar, unless you're in a really gigantic shop.
Re:MS would owe at least the key (Score:5, Informative)
How is it any different than needing a corporate license server for Autocad, or Rational, or any of the other software commonly licensed this way on the corporate level? It's not like these license servers are terribly difficult to maintain.
I think you imagine the maintenance to be a lot harder than it really is. Maintaining a single license server has, in my experience, been easier than maintaining hundreds of keys individually.
Sit down, son. (I might have known your mother) (Score:4, Informative)
Quit downloading everything in your email. If you don't recognize the name, delete it.
Don't click "Yes" to every security certificate. You should accept Microsoft's, and that's it.
You don't require new cursors or smiley programs for your emails. The new "Hyper-Exelent Surf 3000 Toolbar by Lucky 88 Company" is not going to make your life easier. Likewise, if you want to know the weather, look outside or in your local paper.
PC Cleaning programs from pop-up ads don't work. Actually, anything advertised on the Internet should be considered fraudulent. (Yes, even "those" pills. They're just bull semen and corn starch.)
Get your programs from sourceforge, not from the first link on Google. Make sure that Spybot and Mike's adblocking are installed on your machine.
The people who write viruses have anti-virus programs to test their work on.
For the sake of whatever god you believe in, get a hardware firewall!
Run ShieldsUP! from grc.com to make sure that you're invisible.
Re:MS would owe at least the key (Score:1, Informative)
I have not, nor am I ever likely to, BUY/PURCHASE software from Microsoft. I have purchased/bought a LICENSE to use Microsoft software under THEIR terms.
Essentially, you have RENTED an item and a person/entity is checking to make sure you are using it in accordance with applicable laws and within the terms of the license/rental agreement you accepted.